Messages - requird

#1
Maybe a hardware issue?

Do you have any switches in your network? Is there a possibility of a loop?
#2
Sorry, I should be more clear.

LAN1 will be assigned the IP address 192.168.1.1.
LAN2 will be 192.168.2.1
LAN3 will be 192.168.3.1

Under Services -> DHCPv4
Set the subnet and mask to 192.168.1.0 and 255.255.255.0

Then configure the DHCP range.

This is like a basic configuration. Is this something like how yours is set up?
#3
I'm using one of those machines. I like it.

I don't know what the problem is, but I just want to make sure you did some things first.

I have LAN1, LAN2, LAN3, and WAN assigned in the interfaces.
Each LAN has a different network range. For example:
LAN1 192.168.1.0/24
LAN2 192.168.2.0/24
LAN3 192.168.3.0/24

Then, DHCP each LAN.

Is this similar to your setup?
#4
Finally got it working.

In the Public Service, under Client Certificate Auth, I have it Enabled.
Verification: required
Certificate Authorities: I choose my intermediate CA in OPNsense
Certificate Revocation Lists: Nothing selected (Leave blank)

Just by changing the Revocation list to Nothing, it works!

I don't know what is going on since I don't have any revoked certs in the CRL.
But I did notice that in OPNsense System -> Trust -> Revocation that particular CRL says No under In Use.
#5
Just an update. I think I found the issue, but there's another problem.

When I go to Services: HAProxy: Maintenance: SSL Certificates tab, I don't see any certs there. The table is empty and it says, No Results Found! I've stopped and started the HAproxy service from the dashboard, restarted it, and I've rebooted OPNsense. I can't seem to get the certs loaded on this page. I've enabled the Cron job to sync SSL certs and nothing happened after the scheduled time.

Also, the two buttons for:
Show diff: Show difference between configured SSL certificates and SSL certificates from the running HAProxy service.
Apply changes: Apply all changes by syncing all shown SSL certificates into running HAProxy service.

When I click them, nothing happens.
#6
Been stuck for a few days and hope the forums will help!

I'm running HAproxy. When I don't enable the Client Certificate Auth on the HAproxy Public Service, everything works well. When I enable it, I get ERR_BAD_SSL_CLIENT_AUTH_CERT even though I have a valid client cert installed.

My setup:
I've created a root CA, intermediate CA, and a couple client certs (signed with the intermediate) on OPNsense.
I have a basic nginx vm running with a cert signed with my intermediate. I have installed the intermediate cert and a client cert on my Android phone.

When I try and connect with Chrome, I get asked to select a client cert, then it gives me the error message. It's like HAproxy doesn't check the CAs I selected. (please see attached pic.)

Here is what part of my HAproxy config file looks like:

# Frontend: homeproxy_frontend (homeproxy_frontend)
frontend homeproxy_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl ca-file /tmp/haproxy/ssl/6487e7ccd48e14.01589139.calist verify required crl-file /tmp/haproxy/ssl/6487e7ccd48e14.01589139.crllist crt-list /tmp/haproxy/ssl/6487e7ccd48e14.01589139.certlist
    mode http
    option http-keep-alive
    default_backend homeproxy_backend

    # logging options

# Backend: homeproxy_backend (homeproxy_backend)
backend homeproxy_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server homeproxy-server homeproxy.example.com ssl sni str(homeproxy.example.com) verify required ca-file /tmp/haproxy/ssl/64838ae1e21fe5.61086700.calist


I'm stumped as to why HAproxy doesn't like client cert auth. Anyone have any suggestions?

Thanks!
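
Added example, not part of the posts above: HAProxy's documentation for crl-file says a CRL must be supplied for every certificate in the CA chain, so when "verify required" fails only while a crl-file is set (post #4, with the bind line in post #6), one thing to check is whether each CA in the ca-file has a matching CRL in the crl-file. The script below does that by comparing issuer name hashes with the openssl CLI; the CA names and files are constructed, and the two self-signed CAs only stand in for a root and an intermediate.

```shell
#!/bin/sh
# Added example, not from the thread. All CA names and files are constructed test data.

split_pem() {  # split_pem <bundle> <outdir>: write each PEM object to its own file
  awk -v o="$2" '/-----BEGIN /{n++} n{print > (o "/" n ".pem")}' "$1"
}

missing_crls() {  # missing_crls <ca-file> <crl-file>: print subjects of CAs with no CRL
  t=$(mktemp -d); mkdir "$t/ca" "$t/crl"
  split_pem "$1" "$t/ca"; split_pem "$2" "$t/crl"
  # "openssl crl -hash" prints the hash of the CRL issuer name
  have=$(for f in "$t"/crl/*.pem; do
    if [ -e "$f" ]; then openssl crl -in "$f" -noout -hash; fi
  done)
  for f in "$t"/ca/*.pem; do
    if [ -e "$f" ]; then
      h=$(openssl x509 -in "$f" -noout -subject_hash)
      # a CA is covered when some CRL issuer hash equals its subject hash
      echo "$have" | grep -qx "$h" || openssl x509 -in "$f" -noout -subject
    fi
  done
  rm -rf "$t"
}

make_ca() {  # make_ca <dir> <name>: constructed self-signed CA key and cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

make_crl() {  # make_crl <dir> <name>: empty CRL issued by that constructed CA
  : > "$1/index.txt"
  printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s/index.txt\ndefault_md=sha256\ndefault_crl_days=7\n' \
    "$1" > "$1/ca.cnf"
  openssl ca -gencrl -config "$1/ca.cnf" -keyfile "$1/$2.key" -cert "$1/$2.crt" \
    -out "$1/$2.crl" 2>/dev/null
}

demo() {  # ca-file holds two CAs, crl-file holds a CRL for only one of them
  d=$(mktemp -d)
  make_ca "$d" constructed-root; make_ca "$d" constructed-intermediate
  make_crl "$d" constructed-intermediate
  cat "$d/constructed-root.crt" "$d/constructed-intermediate.crt" > "$d/calist"
  cp "$d/constructed-intermediate.crl" "$d/crllist"
  missing_crls "$d/calist" "$d/crllist"   # reports the constructed root only
  rm -rf "$d"
}

demo
```

On the firewall, the two arguments to missing_crls would be the .calist and .crllist files named on the bind line.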